System Settings for Authenticated Scans

Applies to Product: USM Appliance™ LevelBlue OSSIM®

An authenticated scan is a vulnerability testing measure performed from the vantage of a logged-in user. The quality and depth of an authenticated scan depends on the privileges granted to the authenticated user account. The following are the recommended system settings for creating a designated account for authenticated scans.

Asset Scan Credentials and Escalation Options

Operating System   Methods and Credentials                                              Escalation
Windows            Windows username and password through Server Message Block (SMB)     None
Linux              SSH password or public key authentication                            sudo or su
macOS              SSH password or public key authentication                            sudo or su

Windows

General System Configurations Overview

Windows Configurations and Settings

General System Configurations
  • Designated domain controller account
  • WMI service enabled on the target
  • Remote Registry enabled on the target
  • File and printer sharing must be enabled in the target’s network configuration
Group Configurations
  • Designated security group
  • Group scope: Global
  • Group type: Security
  • Generate registry key
Policy Configurations
  • Designated policy object
  • Policy contains the designated domain controller account
  • Designated security group is assigned to the policy
  • User rights: deny log on locally, deny log on through Remote Desktop Services, and deny write permission
  • Permissions: deny permissions for Set Value, Create Subkey, Create Link, Delete, Change Permissions, and Take Ownership
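The general system configurations above can be confirmed on a target before it is enrolled in a scan. The following readiness check is an added example, not code from the LevelBlue documentation; it assumes it is run locally on the target in an elevated Windows PowerShell 5.1 or later session, and that the forceguest registry value (which backs the Classic sharing model setting) is present, as it is on current Windows releases.

```powershell
# Added example (not LevelBlue's code): run locally on a Windows target, in an
# elevated Windows PowerShell 5.1+ session, to confirm the prerequisites listed
# above before the target is enrolled in an authenticated scan.
function Test-AuthScanReadiness {
    $checks = @()

    # WMI service enabled on target: the scanner enumerates software and patches through WMI.
    $wmi = Get-Service -Name Winmgmt -ErrorAction SilentlyContinue
    $checks += [pscustomobject]@{
        Check = 'WMI service (Winmgmt) running'
        Pass  = [bool]($wmi -and $wmi.Status -eq 'Running')
    }

    # Remote Registry enabled on target: must not be Disabled, and should be running
    # (a Manual start type is acceptable only if something starts it before the scan).
    $rr = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    $checks += [pscustomobject]@{
        Check = 'Remote Registry service enabled and running'
        Pass  = [bool]($rr -and $rr.StartType -ne 'Disabled' -and $rr.Status -eq 'Running')
    }

    # File and printer sharing enabled: the inbound firewall rules of that group
    # must be enabled so SMB (TCP 445) accepts the scanner's connection.
    $fps = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
           Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
    $checks += [pscustomobject]@{
        Check = 'File and Printer Sharing inbound firewall rules enabled'
        Pass  = [bool]$fps
    }

    # The sharing model "Classic: local users authenticate as themselves" is stored as
    # HKLM\SYSTEM\CurrentControlSet\Control\Lsa\forceguest = 0 (1 = Guest only, which
    # maps the scan credentials to Guest and yields an almost empty scan). An absent
    # value is reported as failing; confirm it in Local Security Policy in that case.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $checks += [pscustomobject]@{
        Check = 'Classic sharing model (Lsa\forceguest = 0)'
        Pass  = [bool]($lsa -and $lsa.forceguest -eq 0)
    }

    return $checks
}

Test-AuthScanReadiness | Format-Table -AutoSize
```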

Creating a Windows Admin Account

LevelBlue recommends that the admin create a designated administrator account solely for the authenticated scans rather than using an established administrator account or a guest account. Create the Windows account using the name AV Authenticated Account and a secure password. The target's Network access: Sharing and security model for local accounts policy must be set to Classic: Local Users Authenticate as Themselves, so that the scan credentials are not mapped to the Guest account.

For more information about creating credentials for authenticated scans in USM Appliance, see Creating Credentials for Vulnerability Scans.

Creating a Security Group

To create a security group

  1. Log in to the Active Directory on the Domain Controller.

  2. Go to Start > Programs > Administrative Tools > Active Directory Users and Computers.

  3. Click Action > New > Group to create a new security group.

  4. Name the group LevelBlue Authenticated Scan.

  5. For Group Scope select Global.

  6. For Group Type select Security.

  7. Click OK to add the group.

    Details on the creation of a new security group.

  8. Add the account that you will be using for the authenticated scans to the LevelBlue Authenticated Scan group.

To create a group policy

  1. Click Start > All Programs > Accessories > Run, and then type gpmc.msc in the text box to open the Group Policy Management window.

  2. In the Group Policy Management window, right-click Group Policy Objects, and then select New.

  3. Name the policy LevelBlue Security Rights, and then click OK.

    Set up a new GPO in Group Policy Management.

  4. In the Group Policy Management Editor, click the LevelBlue Security Rights policy to open the policy in the right pane.

  5. Click on the Scope tab, and then in the Security Filtering section, click Add to insert the group.

  6. In the Enter the Object Name to Select field, add the LevelBlue Authenticated Scan group to the policy, and then click OK.
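The group and GPO from the two procedures above can also be provisioned from the command line. The script below is an added example, not LevelBlue's own code; it assumes the ActiveDirectory and GroupPolicy modules (RSAT) on a domain controller, and the OU path and the scan account's sAMAccountName are placeholders. The user rights, file system and registry settings that follow are still configured in the Group Policy Management Editor as described on this page.

```powershell
# Added example (not LevelBlue's code): creates the security group and the GPO
# from the procedures above with the ActiveDirectory and GroupPolicy modules
# (RSAT), run on a domain controller. The OU and the sAMAccountName are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName   = 'LevelBlue Authenticated Scan'           # from "To create a security group"
$GpoName     = 'LevelBlue Security Rights'              # from "To create a group policy"
$ScanAccount = 'av_authscan'                            # PLACEHOLDER: sAMAccountName of the scan account
$GroupOU     = 'OU=Security Groups,DC=example,DC=com'   # PLACEHOLDER: OU in which to create the group

# Steps 3-7: a Global security group (Group Scope: Global, Group Type: Security).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU `
                -Description 'Dedicated account for USM Appliance authenticated scans only'
}

# Step 8: the dedicated scan account is the group's only member.
Add-ADGroupMember -Identity $GroupName -Members $ScanAccount

# GPO steps 1-3: create the GPO if it does not exist yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Restricts the authenticated scan account'
}

# GPO steps 5-6: Scope tab > Security Filtering > Add the group (Read + Apply group policy).
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoApply | Out-Null

# The default "Authenticated Users" entry is left in place on purpose: the deny rights,
# file system and registry settings configured later are Computer Configuration
# settings, so the scanned computers themselves must still be allowed to apply the GPO.

# Verify that the security filtering matches the procedure.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

The GPO still has to be linked to the OU that contains the scanned computers (New-GPLink) before any of its settings take effect.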

Configuring Policies

The following configurations are optional steps you can take in the Group Policy Management Editor to remove unnecessary user rights. These steps are not required for running the authenticated scans, but they do provide extra measures of internal security.

To deny local logins

  1. Right-click on the LevelBlue Security Rights policy, and then select Edit.

  2. In User Rights Assignment, double-click Deny Log on Locally.

  3. Click Add User or Group.

  4. Click Browse, enter LevelBlue Authenticated Scan, and then click Check Names.

  5. Click OK.

    Deny local logins with the Group Policy Management Editor.

To deny Remote Desktop Services logon

  1. Right-click the LevelBlue Security Rights policy, and then select Edit.
  2. In User Rights Assignment, double-click Deny Log on Through Remote Desktop Services.
  3. Select Define These Policy Settings.
  4. Click Add User or Group.
  5. Click Browse, enter LevelBlue Authenticated Scan, and then click Check Names.
  6. Click OK.

To configure permissions

  1. Right-click File Systems, and then select Add File.

    Click Add File in File Systems

  2. Enter %SystemDrive%.

  3. Under Group or User Names, click Add.

  4. Enter LevelBlue Authenticated Scan.

  5. Click OK.

  6. In the LevelBlue Authenticated Scan group, select the authenticated user.

  7. Deselect any permissions that are marked in the Allowed column, and then select Deny for the Write permission.

  8. Click OK.

  9. In the Object window, select Configure This File or Folder Then and, under it, Propagate Inheritable Permissions to All Subfolders and Files, and then click OK.

To configure registries

  1. Click Registry, and then select Add Key.

  2. Select Users, and then click OK.

  3. Click Advanced, and then click Add.

  4. Enter the LevelBlue Authenticated Scan group, and then click OK.

  5. In the Permissions Entry Objects window's Apply To field, select This Object and Child Objects.

  6. In the Permissions section below, select Deny for Set Value, Create Subkey, Create Link, Delete, Change Permissions, and Take Ownership. No checkboxes should be set to Allow.

  7. Click OK and confirm the changes.

    Full display of all windows showing configurations and permissions

  8. Select the Configure This Key Then and Propagate Inheritable Permissions to All Subkeys radio buttons, and then click OK.

  9. Repeat these steps for the MACHINE and CLASSES_ROOT registry keys as well.

Linux

To perform an authenticated scan of a Linux system from USM Appliance, the scan account must have root privileges. The Linux login is performed through SSH, and USM Appliance authenticates either with a password or with an SSH key stored in USM Appliance. The Linux account used for authenticated scans must be able to run uname commands and to read and execute Debian (.deb and .dpkg) or Red Hat (.rpm) package files. Public key authentication must not be prohibited by the SSH daemon, that is, sshd_config must not contain the line PubkeyAuthentication no.

For more information about creating credentials for authenticated scans in USM Appliance, see Creating Credentials for Vulnerability Scans.

macOS

To perform an authenticated scan of a macOS system from USM Appliance, the scan account must have root privileges.

To enable SSH access on macOS

  1. Open System Preferences, and then select Sharing.

    macOS System Preferences, showing where Sharing is

  2. Select Remote Login.

    Sharing window with Remote Login selected

For more information about creating credentials for authenticated scans in USM Appliance, see Creating Credentials for Vulnerability Scans.